Weeks after the FTC fined Facebook $5 billion and the company entered a $100 million settlement with the SEC, Facebook has once again made significant privacy law news—this time on the other side of the Atlantic.

On July 29, the Court of Justice of the European Union (CJEU) issued a significant opinion in the Fashion ID case regarding the use of social media plugins such as the Facebook “like” button.

Although the ruling interprets GDPR’s predecessor, the EU Data Protection Directive, it contains some important takeaways for websites subject to GDPR.

Background

The Fashion ID case arose when a German consumer advocacy organization asserted a claim against online fashion retailer Fashion ID regarding its use of a Facebook “like” button on its website. The claim alleged that the “like” button automatically transmitted personal data from Fashion ID website visitors to Facebook, regardless of whether the visitor had a Facebook profile or clicked on the “like” button, and that Fashion ID failed to obtain the visitors’ consent to, or to notify them about, Facebook’s processing.

In response, Fashion ID argued that it could not be held responsible for data transmitted through the use of the “like” button, as it had “no influence either over the data transmitted by the visitor’s browser from its website” or over whether and how Facebook used that data.

The CJEU’s Ruling

The CJEU rejected Fashion ID’s argument, holding that Fashion ID was a joint controller with Facebook of personal data transmitted to Facebook through the “like” button, even though Fashion ID had no control over what data Facebook collected or how Facebook used it.

The court stated that Fashion ID was a “controller” of website visitors’ personal data processed through the Facebook “like” button because it “exerts a decisive influence” over the processing. To that end, the court observed that:

Fashion ID’s decision to embed the “like” button “made it possible” for Facebook to process personal data where it otherwise would not have been possible;
Fashion ID was “fully aware of the fact that [the “like” button] serves as a tool for the collection and disclosure by transmission of the personal data of visitors to [Fashion ID’s] website” to Facebook; and
Fashion ID benefited commercially in the form of increased publicity for its products on Facebook’s website by embedding the “like” button.

The court therefore concluded Fashion ID was a joint controller with Facebook as to that personal data. But that conclusion did not make Fashion ID responsible for Facebook’s processing. The court clarified that Fashion ID’s liability was limited to its own collection and transmission of personal data to Facebook. Fashion ID could not be held responsible for Facebook’s subsequent processing of that data.

The court’s decision also explained that as joint controllers:

both Fashion ID and Facebook must have a legitimate interest or other legal basis underlying processing undertaken through the “like” button; and
both Fashion ID and Facebook were required to inform website visitors about the processing that each undertakes in relation to the “like” button.

How Is This Relevant to GDPR?

While the CJEU’s opinion only interpreted the Directive, this case still carries significant implications for GDPR. That’s because definitions of “controller” under GDPR and the Directive are identical, and because GDPR imposes specific requirements on parties in a joint controller relationship, including entering into a formal “arrangement” and informing data subjects about the nature of that arrangement.

What Website Operators Should Do Now

Website operators that are subject to GDPR and use third-party plugins that may process European personal data should complete the following three steps in response to the Fashion ID ruling.

Identify all social media plugins and determine how they collect and use website visitors’ personal data.

The scope of a website operator’s obligations with respect to any social media plugins used on its website, and the steps necessary to address them, will depend on the nature and extent of the collection, sharing, and other processing of personal data that results from the plugin.

This step will help calibrate subsequent compliance efforts.

Revise privacy notices to disclose any social media plugin processing and to document the legal basis for that processing, and update consent mechanisms as necessary.

The CJEU held that the website operator must provide information to data subjects about processing that occurs through social media plugins on its website. The CJEU also made it clear that each “joint controller” must have a legal basis for its processing. Website operators should update their website privacy notices to include those disclosures.

The CJEU also noted that if the basis for the social media plugin’s processing is consent, the website operator alone will be responsible for obtaining that consent because the visitor accessing the website triggers the plugin’s processing.

Ensure GDPR-required joint control arrangements are in place and assess liability allocations.

GDPR requires that joint controllers determine their GDPR compliance obligations “by means of an arrangement” between them and that the “essence of the arrangement shall be made available to the data subject.”

The website operator should thus ensure that the social media plugin provider’s terms of use address the parties’ joint control obligations. It should also ensure the joint control arrangement is adequately communicated to website visitors as part of the aforementioned updates to its privacy notice.

Website operators should also carefully assess any liability allocation term in joint control “arrangements.” GDPR provides that data subjects can enforce their rights against either controller in a joint controller relationship, and that “any controller involved in processing” will be liable for damage. As a result, website operators should assess indemnity provisions in the arrangement to determine whether ultimate liability for GDPR violations is appropriately allocated to the party responsible for those violations.

Conclusion

The Fashion ID opinion clarified that website operators subject to GDPR can be liable for personal data processing conducted by social media plugins. Website operators should revise their privacy notices and evaluate social media plugin providers’ terms of use to address compliance obligations and assess their liability exposure.

September 16, 2019/by International Practice